Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30/12/2024, 16:10
Behavioral task
behavioral1
Sample
a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe
Resource
win10v2004-20241007-en
General
-
Target
a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe
-
Size
1.7MB
-
MD5
9d62f5b5d9eca0a94ba46565918695f0
-
SHA1
71bfc63978a703ba9f0b18dae7d2ca67018b7fe8
-
SHA256
a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177d
-
SHA512
a1db284ac814611263fee44d158cffb845bf20f92d993518bafb3dfba8a0de6a9d32c1b6545cf515febe61856225707765c9f9db2ca5476347d1674cff818199
-
SSDEEP
24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3420 1188 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3944 1188 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1708 1188 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3016 1188 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3468 1188 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 64 1188 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4836 1188 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1680 1188 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4272 1188 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4644 1188 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4388 1188 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2648 1188 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2544 1188 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 920 1188 schtasks.exe 82 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2080 1188 schtasks.exe 82 -
resource yara_rule behavioral2/memory/4524-1-0x0000000000640000-0x00000000007F6000-memory.dmp dcrat behavioral2/files/0x000a000000023b93-29.dat dcrat behavioral2/files/0x000d000000023b30-55.dat dcrat behavioral2/files/0x000e000000023b86-78.dat dcrat behavioral2/files/0x000c000000023b8f-89.dat dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2640 powershell.exe 5112 powershell.exe 3940 powershell.exe 1456 powershell.exe 3460 powershell.exe 4040 powershell.exe 3976 powershell.exe 2524 powershell.exe 4476 powershell.exe 3632 powershell.exe 3584 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation OfficeClickToRun.exe -
Executes dropped EXE 2 IoCs
pid Process 3280 OfficeClickToRun.exe 1364 OfficeClickToRun.exe -
Drops file in Program Files directory 5 IoCs
description ioc Process File created C:\Program Files\Java\jre-1.8\winlogon.exe a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe File created C:\Program Files\Java\jre-1.8\cc11b995f2a76d a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe File opened for modification C:\Program Files\Java\jre-1.8\RCX8948.tmp a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe File opened for modification C:\Program Files\Java\jre-1.8\RCX89C6.tmp a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe File opened for modification C:\Program Files\Java\jre-1.8\winlogon.exe a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\RCX9053.tmp a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\RCX90D1.tmp a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\Idle.exe a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\Idle.exe a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\6ccacd8608530f a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings OfficeClickToRun.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3420 schtasks.exe 3944 schtasks.exe 3016 schtasks.exe 4272 schtasks.exe 920 schtasks.exe 3468 schtasks.exe 4836 schtasks.exe 1680 schtasks.exe 4388 schtasks.exe 1708 schtasks.exe 64 schtasks.exe 4644 schtasks.exe 2080 schtasks.exe 2648 schtasks.exe 2544 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 2524 powershell.exe 2524 powershell.exe 3976 powershell.exe 3976 powershell.exe 4040 powershell.exe 4040 powershell.exe 3940 powershell.exe 3940 powershell.exe 3460 powershell.exe 3460 powershell.exe 3584 powershell.exe 3584 powershell.exe 4476 powershell.exe 4476 powershell.exe 1456 powershell.exe 1456 powershell.exe 2640 powershell.exe 2640 powershell.exe 3632 powershell.exe 3632 powershell.exe 5112 powershell.exe 5112 powershell.exe 1456 powershell.exe 5112 powershell.exe 2524 powershell.exe 3976 powershell.exe 3940 powershell.exe 4476 powershell.exe 4040 powershell.exe 3460 powershell.exe 3584 powershell.exe 2640 powershell.exe 3632 powershell.exe 3280 OfficeClickToRun.exe 3280 OfficeClickToRun.exe 3280 OfficeClickToRun.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
description pid Process Token: SeDebugPrivilege 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe Token: SeDebugPrivilege 2524 powershell.exe Token: SeDebugPrivilege 3976 powershell.exe Token: SeDebugPrivilege 4040 powershell.exe Token: SeDebugPrivilege 3940 powershell.exe Token: SeDebugPrivilege 4476 powershell.exe Token: SeDebugPrivilege 3460 powershell.exe Token: SeDebugPrivilege 3584 powershell.exe Token: SeDebugPrivilege 1456 powershell.exe Token: SeDebugPrivilege 2640 powershell.exe Token: SeDebugPrivilege 3632 powershell.exe Token: SeDebugPrivilege 5112 powershell.exe Token: SeDebugPrivilege 3280 OfficeClickToRun.exe Token: SeDebugPrivilege 1364 OfficeClickToRun.exe -
Suspicious use of WriteProcessMemory 34 IoCs
description pid Process procid_target PID 4524 wrote to memory of 1456 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 98 PID 4524 wrote to memory of 1456 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 98 PID 4524 wrote to memory of 3460 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 99 PID 4524 wrote to memory of 3460 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 99 PID 4524 wrote to memory of 2524 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 100 PID 4524 wrote to memory of 2524 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 100 PID 4524 wrote to memory of 4040 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 101 PID 4524 wrote to memory of 4040 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 101 PID 4524 wrote to memory of 3976 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 102 PID 4524 wrote to memory of 3976 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 102 PID 4524 wrote to memory of 2640 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 103 PID 4524 wrote to memory of 2640 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 103 PID 4524 wrote to memory of 4476 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 104 PID 4524 wrote to memory of 4476 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 104 PID 4524 wrote to memory of 5112 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 105 PID 4524 wrote to memory of 5112 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 105 PID 4524 wrote to memory of 3632 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 106 PID 4524 wrote to memory of 3632 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 106 PID 4524 wrote to memory of 3940 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 107 PID 4524 wrote to memory of 3940 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 107 PID 4524 wrote to memory of 3584 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 108 PID 4524 wrote to memory of 3584 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 108 PID 4524 wrote to memory of 3136 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 120 PID 4524 wrote to memory of 3136 4524 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe 120 PID 3136 wrote to memory of 4164 3136 cmd.exe 122 PID 3136 wrote to memory of 4164 3136 cmd.exe 122 PID 3136 wrote to memory of 3280 3136 cmd.exe 126 PID 3136 wrote to memory of 3280 3136 cmd.exe 126 PID 3280 wrote to memory of 4272 3280 OfficeClickToRun.exe 127 PID 3280 wrote to memory of 4272 3280 OfficeClickToRun.exe 127 PID 3280 wrote to memory of 2544 3280 OfficeClickToRun.exe 128 PID 3280 wrote to memory of 2544 3280 OfficeClickToRun.exe 128 PID 4272 wrote to memory of 1364 4272 WScript.exe 132 PID 4272 wrote to memory of 1364 4272 WScript.exe 132 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe"C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe"1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3976
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4476
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3584
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i3nWZXdZXo.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:4164
-
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe"C:\Recovery\WindowsRE\OfficeClickToRun.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57fffc77-169a-42ae-bfd1-3359079ef332.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Recovery\WindowsRE\OfficeClickToRun.exeC:\Recovery\WindowsRE\OfficeClickToRun.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1364
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5061097-32c1-4490-8f1b-39aab253e705.vbs"4⤵PID:2544
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre-1.8\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre-1.8\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD53a9bc73020a1a6d0e2766d443c6250d6
SHA111c0b2bfa6786c4f362fb7a74c4491cdfbf9f310
SHA2560df963a043df4e9dd4a316175dbbb313cdfccc20e245bc561759c00ba5e7a352
SHA5126120d438d570df48cd9f914b0245f61359743144fa4644698cd982b774d06560bc50c2c553cc0d5576dad8a1b86b126b95357ac662b9950d2f90b34c717a815c
-
Filesize
1.7MB
MD54aa38b53d097cfa68c4e74e2e89d2b1f
SHA161ebabde3735e88f9cf14670373d2c5117290b5b
SHA256c1b84af9be473974dbbce2bb5b9b90b6fee3283d23aac2cff15e7c40114aeaf3
SHA51203785dbd68fb91580995158e9fde490c55623886f98772a1e76266b806c8e863351956fabb18ec3256efd4f5f397160839d0d1c17f3bb088884d3dea958ea69f
-
Filesize
1KB
MD53ad9a5252966a3ab5b1b3222424717be
SHA15397522c86c74ddbfb2585b9613c794f4b4c3410
SHA25627525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249
SHA512b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
718B
MD5a002c785c46d2397c33d60b74dde9eb6
SHA1639a6a8b6fe6d6dd1fe9b213af2fb49047a03285
SHA256de0dccc6ecd50bd0f17736d1f772b31a2647584189abfe20fd8498e4943f2341
SHA512445e6bb366f1751e35798e1606ff6d3dc8e97cce7ce358bc51975dac619d4c84e4341c7237c4763a9e501f798b4a432865752b4a99301cd87b9161c0957ccdb8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
494B
MD5cd414d5b52c887c5034e90b9204badd5
SHA18a6e0b10706b3bf4188ea104e4456289f816aa8c
SHA2566f3f614ede9f19708c9325b48a00a4d37166705ab8219a752bfeb8f543a0e981
SHA512206f964d39efa9493573941b90af560bdeba132f8f10968204abf01d82d4b53b1a0e59d93e24846d401ce03d1d29bb7b0e74adfbbdb59ecbb5eab69195dbcde4
-
Filesize
207B
MD5814d716a5937af1da0fd5e30a5bfded8
SHA10b6f3a13d2b5f12741e571d9fe66d356df8dd1b2
SHA2568636ab48c8c83d3cfff644ef29a97e3f1a81f3d333ce583e4efab3c006ba7f33
SHA512e05fcd46c97525cf34dc3367172ab5aca18e9e9dca57aba9b3dbbaeeb9210fa3f837af88bdd5138410525c7e79cf25fa93d86b6c6e699202211c0ac6a935be41
-
Filesize
1.7MB
MD59d62f5b5d9eca0a94ba46565918695f0
SHA171bfc63978a703ba9f0b18dae7d2ca67018b7fe8
SHA256a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177d
SHA512a1db284ac814611263fee44d158cffb845bf20f92d993518bafb3dfba8a0de6a9d32c1b6545cf515febe61856225707765c9f9db2ca5476347d1674cff818199
-
Filesize
1.7MB
MD556a5fef2f8bb53683b570436bd6fc924
SHA17d0f2f230492929e25e4b836143fc82f4b4c7098
SHA256e64251aba080cc985aa755e6bc1ea69f8854776d1c6b65251b6d252a6919b62e
SHA512994ff86273b0b22d4c0218da4fadcf0c51b7f17551281b08de5741fc0329488bfaae9b7b08b62a472a5a40bdd6875a7536157ec4143282414098d5c63b06c143